
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<style>
BODY, P, DIV, H1, H2, H3, H4, H5, H6, ADDRESS, OL, UL, TITLE, TD, OPTION, SELECT {
 font-family: Verdana;
 
}

BODY, P, DIV, ADDRESS, OL, UL, LI, TITLE, TD, OPTION, SELECT {  
  font-size: 10.0pt;
  margin-top:0pt;  
  margin-bottom:0pt;  
} 

BODY, P {
  margin-left:0pt; 
  margin-right:0pt;
}

BODY {
  line-height: normal;

  margin: 6px;
  padding: 0px;
}

h6 { font-size: 10pt }
h5 { font-size: 11pt }
h4 { font-size: 12pt }
h3 { font-size: 13pt }
h2 { font-size: 14pt }
h1 { font-size: 16pt }

blockquote {padding: 10px; border: 1px #DDDDDD dashed }

a img {border: 0}

#doc-contents {
  background-color: #ffffff;
}


</style>


</head>


<body revision="dcmfsqd3_20d82hhw:83">

<div style=TEXT-ALIGN:center>
  <img align=middle src="../images/netfselogo.png">
</div>
<h1>
  Help
</h1>
<p>
  <br>
  This page documents the <a href=NetFSEClient.html>Net/FSE</a> web interface.
  The interface provides search across the multiple data types stored in
  Net/FSE. All processing is done on the server side, so searches run
  without slowing down your workstation.<br>
</p>
<br>
<p>
  Topics covered in this document:
</p>
<ul>
  <li>
    <a href=#browsersupport id=c:0n title="Browser Support">Browser Support</a>
  </li>
  <li>
    <a href=#runningasearch id=emr2 title="Running a Search">Running a
    Search</a>
  </li>
  <li>
    <a href=#managingsearches id=sg75 title="Managing Searches">Managing
    Searches</a>
  </li>
  <li>
    <a href=#analyzingsearchresults id=h38i title="Analyzing Search Results">Analyzing
    Search Results</a>
  </li>
  <li>
    <a href=#usingtheoptions id=xi8: title="Using the Options">Using the
    Options</a>
    <ul>
      <li>
        <a href=#whereandorderby id=lnh_ title="Where and Order By">Where and
        Order By</a>
      </li>
    </ul>
  </li>
  <li>
    <a href=#exportingresults id=abf5 title="Exporting Results">Exporting
    Results</a>
  </li>
  <li>
    <a href=#mergingsearchresults id=uka1 title="Merging Search Results">Merging
    Search Results</a>
  </li>
  <li>
    <a href=#summaryview id=uka53 title="Summary View">Summary View</a>
  </li>
  <li>
    <a href=#timelineview id=uka54 title="Timeline View">Timeline View</a>
  </li>
</ul>
<p>
  <br>
</p>
<p>
</p>
<h2>
  <a id=hfn4 name=browsersupport></a>Browser Support
</h2>
<p>
  Firefox is the preferred browser although IE and Safari work as well. Contact
  <a href="mailto:support@packetanalytics.com">Packet Analytics support</a> if you are planning on using
  another browser or experience problems with one of our supported browsers.
</p>
<p>
</p>
<h2>
  <a id=ax1x name=runningasearch></a>Running a Search
</h2>
<p>
  To run a search, start by clicking on the <b>Search</b> tab. The format for
  entering timestamps is YYYY-MM-DD HH:MM:SS or YYYY-MM-DD (to search an entire
  day). Leaving the <i>End</i> field blank will search for the entire date or
  the exact timestamp specified in the mandatory <i>Start</i> field.
</p>
<p>
  <br>
</p>
<p>
  The <b>Types</b> section allows individual data types to be included or
  excluded from the search. Note that only types containing all search criteria
  fields will be returned in the results. For example, most web logs do not
  contain port information so searching on destination port will automatically
  exclude web logs, regardless of what is checked in the <b>Types</b> section.
</p>
<p>
  <br>
</p>
<p>
  The <b>Search Information</b> section is used to specify records to return in
  the search results. The <i>IP addresses and/or subnets</i> option allows for a
  space or line separated list of IP addresses to be specified. Subnets can be
  specified by omitting the trailing octets. For example, entering a value of
  10.1.1 will cause Net/FSE to search for IP addresses between 10.1.1.0 and
  10.1.1.255 (inclusive).
</p>
<p>
  <br>
</p>
<p>
  The <i>Search</i> options, <i>Src</i>, <i>Dst</i> and <i>Src and Dst</i>,
  define whether the IP list should be matched against the source IP, the
  destination IP or both, respectively. By selecting the <i>Search Criteria</i>
  option, searches can be submitted to find records matching one or more
  criteria. Range searches are specified by entering a lower and upper bound in
  the two fields. For IP addresses, dot quads must be used.
<p>
  <br>
</p>
<p>
  Once the search fields have been filled in, enter an optional description in
  the <i>Notes</i> field. This description is useful when revisiting the result
  set in the future under the <b>Results</b> tab.
</p>
<p>
  <br>
</p>
<p>
  Click <i>Search</i> to execute the operation. The server will begin gathering
  results and the view will switch to the <b>Analysis</b> tab. The client will
  most likely show an empty table for each result type. This is normal as the
  server has just started processing the search and has not yet found any
  results. Check the <b>Results</b> tab to follow the progress of the
  search. When results are returned, click the <i>First</i> link to view
  results.
</p>
<br>
<p>
  Lastly, the number of records returned per data type can be specified using
  the <i>Per-Type Record Limit</i> field. The default value is 1,000,000
  records. Consider refining your search criteria if you expect more results
  than the default. Unchecking the <i>Unlimited</i> check box will ignore the
  limit value and put as many results into the database as are needed. Use
  caution when unchecking this check box.<br>
</p>
<p>
</p>
<h2>
  <a id=vtrn name=managingsearches></a>Managing Searches
</h2>
<p>
  Each search submitted is assigned a unique ID, allowing search results to be
  viewed as needed or shared with coworkers. The <i>Note</i> field is used to
  describe a search so that it can be located in the future. Click on the
  <b>Results</b> tab to see your current set of stored search results. Click on the 
  <b>History</b> tab to view your historical list of searches.
</p>
<p>
  <br>
</p>
<p>
  In the <b>Results</b> tab, the unique IDs of your searches are shown
  in the <i>Search ID</i> column. To browse results for a search, click the
  Search ID value of the search you want to open. You can merge, delete and make
  search results permanent by selecting the checkbox associated with the search
  result and clicking a link in the <i>Actions</i> toolbar. The <i>Expires</i>
  column shows the date at which the search results will be deleted from the
  server, unless it has been made permanent. <b>Note:</b> <i>The make permanent feature
  is disabled for the test drive.</i> Values in the <i>Note</i> field can be changed by clicking the
  displayed note text.
</p>
<p>
  <br>
</p>
<p>
  The <b>History</b> tab allows you to see the historical list of
  searches that you have performed using Net/FSE. The <i>Set</i> link will set
  the fields in the <b>Search</b> tab to the same options that were selected
  when the search was executed. The <i>Delete</i> link under the <i>Actions</i>
  toolbar will remove the selected search histories from the database, but not
  delete the search results (if any still exist), as that action is performed in
  the <b>Results</b> table.
</p>
<h2>
  <a id=h38i name=analyzingsearchresults></a>Analyzing Search Results
</h2>
<p>
  There are two ways to analyze search results in Net/FSE: by clicking a Search ID on an entry
  in the <b>Results</b> tab or by entering a
  Search ID using the <i>Open Search</i> link at the top of the interface.
  Although most users will only utilize the first option, the <i>Open Search</i>
  link is useful when collaborating with coworkers in data analysis. Any Search
  ID can be opened using this link, regardless of who generated the initial
  search.<br>
</p>
<br>
<p>
  As Net/FSE does not normalize data, each data type is presented separately in the <b>Results</b> tab.
  For each type there are two sections: the <i>Results</i> section and the <i>Summary</i> section.
  The <i>Results</i> section allows you to view individual records, sort the results, filter on specific criteria and export data to a CSV file.
  The <i>Summary</i> section provides a statistical and visual overview of the data type. <a href=#summaryview>Information on the Summary view</a> is found below.
</p>
<p>
  <br>
</p>
<p>
  Clicking the <i>First</i> link will return the first results in the data set.
  Clicking <i>Next</i> will advance to the next page of results. As expected,
  the <i>Prev</i> and <i>Last</i> links return the previous records and last
  records in the data set respectively.
</p>
<p>
  <br>
</p>
<p>
  Column headers can be clicked to sort the displayed results in ascending
  order. Clicking again will sort the column in descending order. Use the
  <i>Order By</i> options for more advanced sorts (see below).
</p>
<p>
</p>
<h2>
  <a id=ns_r name=usingtheoptions></a>Using the Options
</h2>
<p>
  Click the <i>Options</i> link in the result header to display search and
  filter options for the data type. The <i>Where</i> and <i>Order By</i> options
  allow for SQL clauses to be added to sort and filter results. See the
  following section for information on using these fields.
</p>
<p>
  Also, the <i>Results per page</i> field allows you to change the number of
  records displayed on each page. Clicking OK will return you to the
  <b>Browse</b> tab and move to the beginning of the data set (as if
  <i>First</i> was clicked).
</p>
<p>
</p>
<h3 style=MARGIN-LEFT:40px>
  <a id=dv05 name=whereandorderby></a>Where and Order By
</h3>
<p style=MARGIN-LEFT:40px>
  These options allow for SQL <b>where</b> and <b>order by</b> clauses to be applied for data
  analysis. For more information on how to write SQL statements refer to
  <a href=http://www.postgresql.org/docs/ id=c._7 title="PostgreSQL's online documentation">PostgreSQL's
  online documentation</a>. All data types have a timestamp field with the
  column name 'startts' of type 'timestamp'. Click the <i>Schemas</i> link in the
  <i>Options</i> dialog box to view the schema for individual data types.
</p>
<p style=MARGIN-LEFT:40px>
  <br>
</p>
<p style=MARGIN-LEFT:40px>
  To use the <i>Where</i> field, enter a SQL <b>where</b> clause without the "where" keyword.
  Group by's are not supported. IP addresses must be entered as dot quads enclosed by single quotes.
</p>
<p style=MARGIN-LEFT:40px>
  <b>Example:</b> <i>srcip = '10.1.1.4'</i> or <i>srcip between
  '10.1.1.0' and '10.1.1.128'</i>
</p>
<p style=MARGIN-LEFT:40px>
  <br>
</p>
<p style=MARGIN-LEFT:40px>
  To use the <i>Order By</i> field, enter an SQL <b>order by</b> clause without the
  "order by" keywords.
</p>
<p style=MARGIN-LEFT:40px>
  <b>Example:</b> <i>startts desc, srcip asc</i> (sorts by start timestamp in
  descending order followed by source IP in ascending order)
</p>
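<p style=MARGIN-LEFT:40px>
  The following is an added example, not Net/FSE code, showing how a
  <i>Where</i> fragment and an <i>Order By</i> fragment entered without their
  keywords are combined with the data type's table into the query that the
  database runs, using the two examples above. Net/FSE documents these fields
  in terms of PostgreSQL; an in-memory sqlite3 table stands in here so the
  example runs offline, with a collation registered so that dotted quads
  compare numerically (as the <i>between</i> example above requires) rather
  than as strings. The table name, column names, sample rows and the
  <i>build_query</i>/<i>run</i> helpers are assumptions made for the example.
</p>

```python
# Added example (not part of Net/FSE): assemble and run the Options query.
import ipaddress
import sqlite3


def ip_collation(a: str, b: str) -> int:
    """Compare dotted quads by numeric value so that
    srcip between '10.1.1.0' and '10.1.1.128' is an address range; plain
    string order would put '10.1.1.4' after '10.1.1.128'."""
    try:
        x, y = int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b))
    except ValueError:
        x, y = a, b  # not dotted quads: fall back to string order
    return (x > y) - (x < y)


def open_sample_db() -> sqlite3.Connection:
    """In-memory table shaped like a flow data type; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.create_collation("ipaddr", ip_collation)
    conn.execute(
        """CREATE TABLE flows (
               startts TEXT,
               srcip   TEXT COLLATE ipaddr,
               dstip   TEXT COLLATE ipaddr,
               dstport INTEGER,
               proto   TEXT)"""
    )
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?)", [
        ("2010-01-05 09:00:00", "10.1.1.4",   "192.0.2.10", 80,  "tcp"),
        ("2010-01-05 09:00:05", "10.1.1.200", "192.0.2.10", 443, "tcp"),
        ("2010-01-05 09:01:00", "10.1.1.4",   "192.0.2.53", 53,  "udp"),
        ("2010-01-05 09:02:00", "10.1.1.77",  "192.0.2.10", 80,  "tcp"),
    ])
    return conn


def build_query(table: str, where: str = "", order_by: str = "",
                per_page: int = 100) -> str:
    """Add the WHERE / ORDER BY keywords the user leaves out and the page
    size from "Results per page". Both fragments become part of the SQL text
    the database interprets, which is why they follow PostgreSQL syntax."""
    sql = f"SELECT startts, srcip, dstip, dstport, proto FROM {table}"
    if where.strip():
        sql += f" WHERE {where.strip()}"
    if order_by.strip():
        sql += f" ORDER BY {order_by.strip()}"
    return sql + f" LIMIT {int(per_page)}"


def run(where: str = "", order_by: str = "", per_page: int = 100) -> list:
    """Run the assembled query against the sample table and return the rows."""
    conn = open_sample_db()
    try:
        return conn.execute(build_query("flows", where, order_by, per_page)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for row in run("srcip between '10.1.1.0' and '10.1.1.128'",
                   "startts desc, srcip asc"):
        print(row)
```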
<h2>
  <a id=gdv5 name=exportingresults></a>Exporting Results
</h2>
<p>
  At some point you will need to export data from an investigation to another tool
  for additional analysis, burn it to a CD or create reports on an incident.
  Each data type table in the <b>Analysis</b> tab has an <i>Export</i> link that
  will generate a comma separated value (CSV) file to be downloaded to your
  workstation. All sorting and selection criteria are preserved in the export
  (i.e. Order By and Where information applies to the export, see above).
  Note that because each data type has a different format and structure you will
  have to perform an export for each data type in the search results.
</p>
<p>
  <br>
</p>
<p>
  The exported file's format is very straightforward and makes import into a tool
  like Excel very easy. The first row of the resulting file will be the field name
  for each column from the underlying table structure for the data type. The
  remaining rows will contain the data records in CSV format.
</p>
<h2>
  <a id=j-3b name=mergingsearchresults></a>Merging Search Results
</h2>
<p>
  Often it is necessary to run multiple searches over the course of an
  investigation. At the end it is useful to have all the pertinent information
  stored in the same place. Net/FSE allows for multiple search results to be
  merged into a single result set. Simply check the Search IDs that you want to
  merge in the <b>Results</b> tab and click
  <i>Merge</i> under the <i>Actions</i> toolbar to begin the merge. The status of
  search results being merged will then be set to "Merging". A popup window will
  appear when Net/FSE finishes merging the results. This may take some time when
  merging very large search result data sets.
</p>
<h2>
  <a id=uka53 name=summaryview></a>Summary View
</h2>
<p>
  The Summary view provides analysts with a statistical and visual overview of search results for each data type.
  A separate table is generated for the top 10 source IPs, destination IPs, destination ports and protocols. If a data type does not have all four fields then the unavailable summary tables will be left blank.
  The computation of the summary table is directly affected by whatever filtering you have performed using the <i>Results</i> section for the individual data type.
  For example, if the results are filtered to look for destination ports between 0 and 1024 then the Summary tables will be computed using these filters when <i>Refresh</i> is clicked.
</p>
<br>
<p>
  Each of the four tables has the same layout. The Value column shows the field value for the row, for instance a source IP or a port number.
  The Start column shows the number of records matching the given value at the beginning of the time range.
  The End column shows the number of records matching the given value at the end of the time range.
  The Low column shows the lowest number of records matching the given value in the time range.
  The High column shows the highest number of records matching the given value in the time range.
  The Total column provides the total number of records matching the given value over the time range.
  Lastly, the % Activity column gives the total for the given value as a percentage of the entire result set.
</p>
<br>
<p>
  In between the Start and End columns is a sparkline showing the activity level of the value across the time range.
  The other column values in the table provide the range and scale of the sparkline.
  These graphs are very useful for comparing related activity and looking for unusual behavior in the results.
</p>
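<p>
  The following is an added example, not Net/FSE code, that ties the
  <i>Exporting Results</i> section to the Summary view: it reads a CSV in the
  export format described earlier (first row field names, remaining rows
  records) and builds a top-N table with the Value, Start, End, Low, High,
  Total and % Activity columns plus a text sparkline. The CSV contents, the
  column names, the split of the time range into a fixed number of equal
  slices (one per sparkline point) and the function names are assumptions
  made for the example; a data type lacking the requested field yields an
  empty table, matching the "left blank" behaviour above.
</p>

```python
# Added example (not part of Net/FSE): Summary-view table from an export CSV.
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the export format: header row, then records.
SAMPLE_EXPORT = """startts,srcip,dstip,dstport,proto
2010-01-05 09:00:00,10.1.1.4,192.0.2.10,80,tcp
2010-01-05 09:00:20,10.1.1.4,192.0.2.10,80,tcp
2010-01-05 09:01:10,10.1.1.200,192.0.2.10,443,tcp
2010-01-05 09:01:40,10.1.1.4,192.0.2.53,53,udp
2010-01-05 09:02:30,10.1.1.77,192.0.2.10,80,tcp
2010-01-05 09:02:50,10.1.1.4,192.0.2.10,80,tcp
"""


def read_export(text: str) -> list:
    """Parse an exported CSV; the header row supplies the field names."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(records: list, field: str, buckets: int = 3, top: int = 10) -> list:
    """Top-N values of `field` with their per-slice counts over the time range.

    Each row carries the Summary-view columns (Value, Start, End, Low, High,
    Total, Activity as a percentage of all records) and the slice series the
    sparkline is drawn from. Returns [] when the data type lacks the field.
    """
    if not records or field not in records[0]:
        return []  # table is left blank for this data type
    ts = [datetime.strptime(r["startts"], "%Y-%m-%d %H:%M:%S") for r in records]
    t0, t1 = min(ts), max(ts)
    span = (t1 - t0).total_seconds() or 1.0
    series = defaultdict(lambda: [0] * buckets)
    for rec, t in zip(records, ts):
        # Slice index of this record within the time range (last slice inclusive).
        idx = min(int((t - t0).total_seconds() / span * buckets), buckets - 1)
        series[rec[field]][idx] += 1
    totals = Counter({value: sum(s) for value, s in series.items()})
    rows = []
    for value, total in totals.most_common(top):
        s = series[value]
        rows.append({
            "Value": value,
            "Start": s[0],            # count in the first slice
            "End": s[-1],             # count in the last slice
            "Low": min(s),
            "High": max(s),
            "Total": total,
            "Activity": round(100.0 * total / len(records), 1),
            "Series": s,
        })
    return rows


def sparkline(series: list) -> str:
    """Text sparkline scaled to the row's own High value."""
    bars = " ▁▂▃▄▅▆▇█"
    hi = max(series) or 1
    return "".join(bars[int(c / hi * (len(bars) - 1))] for c in series)


if __name__ == "__main__":
    recs = read_export(SAMPLE_EXPORT)
    for field in ("srcip", "dstip", "dstport", "proto"):
        print(f"-- top {field}")
        for row in summarize(recs, field):
            print(f"{row['Value']:>12} {row['Start']:>5} {sparkline(row['Series'])} "
                  f"{row['End']:>3} {row['Low']:>3} {row['High']:>4} "
                  f"{row['Total']:>5} {row['Activity']:>5}%")
```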
<h2>
  <a id=uka54 name=timelineview></a>Timeline View
</h2>
<p>
  The Timeline view is used to view normalized events from multiple data sources in time order. Click 100, 500 or 1000 to view that many records from the currently opened search result.
  The Timeline view is most useful when you have already filtered and reduced a search result to a manageable size.
  Options (where clauses and order bys) that are set in the Analysis tab will affect the results displayed in the timeline.
</p>

<hr>
<div style=TEXT-ALIGN:center>
  <img align=middle src="../images/paclogo.gif">
</div></body>
</html>